Adobe Flash zero day vulnerability exploited by hackers to infect IE and Firefox users

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Adobe FlashAdobe has warned that online criminals are attacking Internet Explorer and Firefox users via an as-yet-unpatched zero day vulnerability in Adobe Flash.

In a security advisory, Adobe says it plans to issue an emergency update for Flash this week patching the vulnerability known as CVE-2015-0313.

A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system. We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

Adobe expects to release an update for Flash Player during the week of February 2.

Sign up to our free newsletter.
Security news, advice, and tips.

However, that will be too late for thousands of computer users who – according to Trend Micro – have been had their computers infected by visiting sites serving up malicious adverts that exploit the critical flaw.

Popular video-sharing site Dailymotion is said to have been one site seen distributing the malware attack via poisoned adverts.

This is, of course, the third time in the last few weeks that a zero-day vulnerability has been found in Adobe Flash. And it wouldn’t be any surprise at all if some computer users are feeling somewhat bruised by the bombardment of alerts and warnings.

Further reading: How to enable Click-to-Play in Adobe Flash.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

7 comments on “Adobe Flash zero day vulnerability exploited by hackers to infect IE and Firefox users”

  1. Tom Martin

    As a newcomer to your site and alerts, this is much appreciated.

  2. Nigel

    What is it about Flash that seems to make it such an attractive target for ne'er-do-wells?

    Thanks for a most helpful article!

    1. Austin · in reply to Nigel

      Flash is a very common, and widely used platform. 11.8% of the entirety of the web uses embedded flash in the construction of their webpages. This does not include the ads that you see displayed upon your page. Here are some of the more popular pages using it:
      Google.com
      Yahoo.com
      Mail.ru
      Bbc.co.uk
      Adobe.com
      Dailymotion.com
      Alipay.com
      Dropbox.com
      Youtube.

      As you can see Flash hits a very large target audience. Now lets look a little more deeper Flash is unique in much the way Java (another heavily attacked plugin) is that it isn't only found on one operating system or even browser. You're seeing it in IE, Firefox, Chrome, and any of the smaller distro's. This gives attackers a large range of end user's they can hit with exploits. Hope that somewhat clears things up?

      The statistics I stated came from here.
      http://w3techs.com/technologies/details/cp-flash/all/all

  3. Spryte

    I've found I can live quite well without Flash on my system. Had to rebuild last year and never bothered re-installing.
    No more Flash headaches!

  4. Cyber Functions

    It is sad to see that a site such as this still confuses with the meaning of the word hacker, and misuses it.

    quoted from GNU:

    A hacker is someone who enjoys playful cleverness—not necessarily with computers. The programmers in the old MIT free software community of the 60s and 70s referred to themselves as hackers. Around 1980, journalists who discovered the hacker community mistakenly took the term to mean “security breaker.”

    Please don't spread this mistake. People who break security are “crackers.”

    ———————–

    refer: https://www.gnu.org/philosophy/words-to-avoid.html#Hacker

    1. I do have some sympathy with your pedantry over the term "hacker". Really, I do.

      But the folks who are trying to preserve the old definition of the word "hacker", and want to exclude the use of it being used to describe bad guys, are missing the fact that the world sadly has moved on.

      One of the challenges we all face is that computer security is it is no longer an issue just of interest to those of us with a technical bent. It's also a problem for everybody with a computer. It's an issue for the woman who does my ironing, the vicar down the lane, my grandparents and your children.

      Many of us are nostalgic for the language of yesteryear but it's more important that we spread advice and information using words that people understand, rather than tie ourselves in knots of our own making.

      I view the word "hacker" as something that can be used to describe both good guys and bad guys, but the general public is most likely to associate it with criminality.

      Some people don't like that of course. But language is dynamic and evolves, and you're not going to outshout the general media, so we better get used to it and accept it.

    2. someone else · in reply to Cyber Functions

      Like you, I wish it was still "hacker/cracker". Now there is no word for what used to be "hackers", probably because the concept is so foreign to the media and the public-at-large. People who fix things for other people just for the fun and satisfaction? What, are they crazy? So "hacker" now means only the bad guys. And the world trends toward dumb and simple.
      It was inevitable. Just remember the Jeffrey Theorem: Average people are so below average.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.